The recent ScreenConnect vulnerability (CVE-2024-1709 & CVE-2024-1708) showed once more why it is so important to detect post-exploitation behaviour. @Huntress described in a detailed way which behaviour was identified, more on that is shared on their blog: SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708). The most important takeaway is mentioned in the last section most of the post-compromise activities we have documented in this article aren’t novel, original, or outstanding.

DFIR PowerShell V2 The DFIR PowerShell script has gotten a major update! The script provides you with a single script to collect forensic artefacts on Windows devices. Whether you are responding to incidents with Security E5 licenses or without a security budget, this tool can be executed to collect the needed information to perform the first response. This blog will discuss the following items: What’s New in Version 2.0 SIEM Import Functionality Azure Data Explorer OpenTCPConnections Visualising Evidence Defender For Endpoint Live Response What’s New in Version 2.

It is great to see that more and more repositories, blogs and other sources share security related KQL content. Therefore this post provides an updated list of KQL Security Sources to start the new year. These sources can help you to kickstart your KQL knowledge for the upcoming year, by providing learning material, detection rules, hunting queries and many more. The image below shows the increase in KQL repositories and the adoption from the community, they are becoming more and more popular, due to companies shifting to Microsoft Security solutions.

Kusto Query Language (KQL) can be your friend when it comes to prioritizing vulnerabilities, specifically when dealing with critical vulnerabilities from the CISA Known Exploited Vulnerabilities Catalog. This blog will explain what this catalog is and how KQL and/or CISAPy can help you to prioritise the vulnerabilities based on your application stack and needs. Multiple KQL examples are provided which can directly be used in your environment to determine which vulnerabilities from the catalog are still active and how they and new ones can be prioritized.

Threat intelligence reports are an essential source to be able to identify and mitigate security threats. However, the process of converting the information in these reports into actionable queries (such as Kusto Query Language (KQL)) can be challenging. In this blog post, we will explore the steps involved in going from a threat intelligence report to a KQL hunting query. This is done based on two #StopRansomware reports of the joint Cybersecurity Advisory (CSA).

If you query data that contains IP addresses this blog is something for you! It does not matter if you are a SOC Analyst, Detection Engineer, Network Engineer or a Developer all the logs that you use on a daily basis will contain IP addresses. This can be in Sentinel, Defender For Endpoint, Application Insights, Azure Firewall and many other sources. This blog will discuss some basic network related operations, before diving into useful network related KQL functions.